General Design / Use Case Help Question

Hello, I am looking into using Keycloak as my company’s new IdP provider in the cloud, and I’m not sure if I’m understanding what Keycloak does vs. how I want to use it. If anyone could clarify my confusion I would appreciate it.

  1. We currently have our company’s usernames and passwords in a custom application hosted locally. We want to start using an IdP in the cloud because we want to move our apps to the cloud.
  2. We need the IdP to be separated by tenant, so our tenant would have its own realm, and other tenants that we serve would have their own realms.
  3. If a tenant has their own IdP, we would, from our server app, redirect the user to that IdP based on their domain.
  4. We would like to push our users to Keycloak and have our users start using Keycloak for our apps AD.
  5. We need Keycloak to become an authorization provider as well for each tenant, and even for tenants who are not authenticated via Keycloak. (Do we want to use Keycloak to federate so we can pick up the tenant’s users? Or have the tenants upload their users to Keycloak, then we create an admin user for each tenant to have them manage custom application permissions?)
  6. After authentication occurs, we need to retrieve all the permissions that a user has, so that we can make authorization-based decisions in our app.

Our intention in using Keycloak is:
When a user browses to our app, we redirect to their registered IdP (could be Keycloak, might not be; if need be, we could have Keycloak federate to their IdP instead of our app).
After a user is authenticated, we need to retrieve all the permissions that user has and save them in our app server for storage; we want to use our own cache for storing a user’s logged-in state. If this is not recommended, please recommend the suggested alternative.

Please let me know if you can explain in more detail whether my approach is supportable using Keycloak.

As of now, my idea is to allow users to register their own IdP via SAML, and I have created a SAML adapter for Keycloak which works, but I’m having trouble getting the user’s permissions by email after they are authenticated. If I can get the user’s permissions via email, and I can upload other tenants’ users to Keycloak so that a tenant admin can manage their permissions, my approach should work.

Thanks for reading. Hope to get a response here.
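Added example (not code from the post or from the Keycloak project) showing the two pieces the question describes in points 3 and 6: routing a login to the tenant’s realm and, where the tenant brokers to its own SAML IdP, passing Keycloak’s `kc_idp_hint` so Keycloak performs the federation; then collecting realm and client roles from a token’s `realm_access` / `resource_access` claims. The tenant table, host names, client id and sample claims are constructed assumptions; the claims are assumed to come from a token whose signature has already been verified.

```python
import secrets
from urllib.parse import urlencode

# Constructed tenant table: email domain -> (Keycloak realm, alias of the tenant's
# SAML identity provider brokered in that realm, or None if users are local to Keycloak).
TENANTS = {
    "example.com": ("tenant-a", None),
    "partner.test": ("tenant-b", "partner-saml"),
}

def login_redirect(base_url, email, client_id, redirect_uri, state=None, nonce=None):
    """Build the OIDC authorization URL for the realm that owns this email domain.
    kc_idp_hint tells Keycloak to skip its own login page and send the user straight
    to the tenant's external IdP, so federation happens inside Keycloak, not in our app."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in TENANTS:
        raise ValueError(f"unknown tenant domain: {domain}")
    realm, idp_alias = TENANTS[domain]
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state or secrets.token_urlsafe(16),   # binds the callback to this request
        "nonce": nonce or secrets.token_urlsafe(16),   # binds the ID token to this request
    }
    if idp_alias:
        params["kc_idp_hint"] = idp_alias
    return f"{base_url}/realms/{realm}/protocol/openid-connect/auth?{urlencode(params)}"

def permissions_from_claims(claims, client_id, expected_issuer):
    """Collect realm roles and this client's roles from verified access-token claims.
    The issuer check matters in a multi-realm setup: a valid token from another
    tenant's realm must not be accepted as permissions in this tenant."""
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"token issued by {claims.get('iss')!r}, expected {expected_issuer!r}")
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))
    client_roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return {"realm": sorted(realm_roles), "client": sorted(client_roles),
            "all": sorted(realm_roles | client_roles)}

# Constructed sample of the payload claims of a Keycloak access token.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test/realms/tenant-b",
    "email": "alice@partner.test",
    "realm_access": {"roles": ["offline_access", "tenant-admin"]},
    "resource_access": {"portal": {"roles": ["reports:read"]},
                        "account": {"roles": ["view-profile"]}},
}
```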